Defending And Harnessing The Bit-Flip Based Adversarial Weight Attack


Zhezhi He†, Adnan Siraj Rakin†, Jingtao Li, Chaitali Chakrabarti and Deliang Fan
School of Electrical, Computer and Energy Engineering, Arizona State University, Tempe, AZ 85287
zhezhihe@asu.edu, dfan@asu.edu

Abstract

Recently, a new paradigm of adversarial attack on quantized neural network weights has attracted great attention, namely the bit-flip based adversarial weight attack, aka. Bit-Flip Attack (BFA). BFA has shown extraordinary attacking ability: the adversary can degrade a quantized Deep Neural Network (DNN) to random-guess accuracy through malicious bit-flips on a small set of vulnerable weight bits (e.g., 13 out of 93 million bits of an 8-bit quantized ResNet-18). However, there are no effective defensive methods to enhance the fault-tolerance capability of DNNs against such BFA. In this work, we conduct comprehensive investigations on BFA and propose to leverage binarization-aware training and its relaxation, piece-wise clustering, as simple and effective countermeasures to BFA. The experiments show that, for BFA to achieve the identical prediction accuracy degradation (e.g., below 11% on CIFAR-10), it requires 19.3× and 480.1× more effective malicious bit-flips on ResNet-20 and VGG-11 respectively, compared to defense-free counterparts.

[Figure 1: (a) Concept illustration of a quantized DNN under BFA. Panel labels: "Sensitive, low volume: DNN BatchNorm, bias, etc." (on chip) and "Insensitive, high volume: weight core" (off-chip DRAM, exposed to RHA). (b) Accuracy (%) vs. number of bit-flips, with and without defense. The fault injection on the identified vulnerable weight bits can be physically conducted by Row-Hammer Attack (RHA) [19]. Meanwhile, the DNN under defense has higher resistance against the malicious bit-flips.]

1. Introduction

As Deep Neural Networks (DNNs) achieve human-surpassing performance in multiple computer vision related tasks, their applications in real-world scenarios are growing rapidly. In such a scenario, the fault-tolerance capability of the neural network is of great research interest for developing reliable neural networks against weak random faults and even strong malicious attacks. A significant amount of research effort has focused on DNNs being fooled by human-imperceptible input noise, aka. adversarial examples. However, another vulnerable dimension of DNNs is the model parameters, which has barely been investigated.

Owing to the enormous model size (hundreds of MBs for state-of-the-art DNNs [9, 24]), modern DNN accelerators (e.g., GPUs) normally need to store the model parameters in main memory, namely Dynamic Random-Access Memory (DRAM). Recent research advances have brought up the vulnerability of data stored in DRAM, where the Row-Hammer Attack (RHA) [19] has been shown to maliciously flip memory bits in DRAM without being granted any data write privileges, as depicted in Fig. 1. Unfortunately, DNNs stored in DRAM with floating-point representation can be easily hacked to fully malfunction through a single bit-flip (e.g., in an exponent bit of any weight) through RHA [8]. Thanks to the DNN weight quantization technique, the DNN is more compact since the weights are represented in a fixed-point format with constrained representation. Such a representation has been proven to significantly enhance the immunity of quantized DNNs to such malicious bit-flips in [8]. However, the newly proposed Bit-Flip Attack (BFA) [17] has a progressive bit searching algorithm that can successfully identify and flip an extremely small number of vulnerable weight bits (e.g., 13 out of 93 million bits of ResNet-18 on ImageNet) to degrade the inference accuracy of a large-scale 8-bit quantized DNN to as low as a random guess (i.e., from 69.8% to 0.1%). Up to now, there is still a lack of effective defensive approaches against such BFA, and so we propose a BFA countermeasure based on weight binarization and its relaxation, piece-wise clustering. The contributions of this work can be summarized as:

- A comprehensive investigation of the bit-flip based adversarial weight attack (i.e., BFA) is conducted, and several insightful observations are obtained for understanding parameter vulnerability to these attacks.
- Weight binarization and its piece-wise clustering relaxation method are proposed as effective defensive techniques against BFA.
- Additional adversarial attack defense methods (e.g., adversarial training, pruning) and conventional model regularization methods are examined as well.

† These authors contributed equally. Code is released at: https://github.com/elliothe/BFA

2. Background and Related Works

2.1. Bit-Flip based Adversarial Weight Attack

The bit-flip based adversarial weight attack, aka. Bit-Flip Attack (BFA) [17], is an adversarial attack variant which performs weight fault injection through flipping bits. To remain machine-imperceptible, BFA only flips the most vulnerable weight bits, which are identified by the Progressive Bit Search (PBS) algorithm with iterative inter- and intra-layer search. Given an $n_q$-bit quantized DNN parameterized by bits (i.e., quantized weights in binary), define the bit tensors $\{\mathbf{B}_l\}_{l=1}^{L}$, where $l \in \{1, 2, \ldots, L\}$ is the layer index. The intra-layer search identifies the bit with the highest gradient magnitude ($\arg\max_{\mathbf{B}_l} |\nabla_{\mathbf{B}_l} \mathcal{L}|$) as the vulnerable bit candidate, where $\mathcal{L}$ is the inference loss. Then, the inter-layer search compares the bit candidates selected by the intra-layer search by directly checking the loss increment. Thus, the bit search in iteration $i$ can be formulated as an optimization process [17]:

$$\max_{\{\hat{\mathbf{B}}_l^i\}} \; \mathcal{L}\big(f(\mathbf{x}; \{\hat{\mathbf{B}}_l^i\}_{l=1}^{L}),\, \tilde{\mathbf{t}}\big) \quad \text{s.t.} \quad \tilde{\mathbf{t}} = f(\mathbf{x}; \{\mathbf{B}_l\}_{l=1}^{L});\; \sum_{l=1}^{L} \mathcal{D}(\hat{\mathbf{B}}_l^i, \mathbf{B}_l) \in \{0, 1, \ldots, N_b\} \tag{1}$$

where $\mathbf{x}$ and $\mathbf{t}$ denote the selected input mini-batch and ground-truth labels. $\hat{\mathbf{B}}_l^i$ is the quantized bit tensor of the $l$-th layer perturbed by BFA in the $i$-th iteration. $f(\mathbf{x}; \{\mathbf{B}_l\}_{l=1}^{L})$ computes the outputs of the DNN parameterized by $\{\mathbf{B}_l\}_{l=1}^{L}$. $\tilde{\mathbf{t}}$ is the output of the clean model, used as the soft-label that replaces the ground-truth $\mathbf{t}$ to perform the attack. $\mathcal{L}(\cdot, \cdot)$ computes the loss. The attack efficiency is measured by the Hamming distance (i.e., effective bit-flips) between the prior- and post-attack model parameters $\{\hat{\mathbf{B}}_l^i\}_{l=1}^{L}$ and $\{\mathbf{B}_l\}_{l=1}^{L}$, given by $\sum_l \mathcal{D}(\hat{\mathbf{B}}_l^i, \mathbf{B}_l)$. In general, the optimization goal of BFA is to cause the DNN to malfunction with the least number of bit-flips (i.e., $\min \sum_l \mathcal{D}(\hat{\mathbf{B}}_l^i, \mathbf{B}_l)$).

It is noteworthy that the quantized weight in fixed-point format is magnitude constrained (i.e., $\max(|\mathbf{B}|)$ is bounded by $2^{n_q-1}$) in comparison to its floating-point counterpart, which is not only more biologically plausible but also practically necessary for the acceleration of modern AI applications. To clarify, we use the same threat model as in prior work [17], which is listed in Table 1.

Table 1: Threat model of Bit-Flip Attack (BFA).
Access Required: Model topology & parameters; A mini-batch of sample data
Access NOT Required: Hyper-parameters and other training configurations; Complete train/test datasets

2.2. Defense against Adversarial Example

As BFA is an adversarial attack variant, the popular techniques used to defend against adversarial examples [5] are investigated to seek a potential BFA defense method.

Adversarial Training. Adversarial training [5, 15] is by far the most successful adversarial example defense method; it optimizes the DNN parameters $\theta$ w.r.t. both the clean inputs $\mathbf{x}$ and their adversarial examples $\hat{\mathbf{x}}$ as:

$$\min_{\theta} \; \mathcal{L}(f(\mathbf{x}; \theta), \mathbf{t}) + \alpha \cdot \mathcal{L}(f(\hat{\mathbf{x}}; \theta), \tilde{\mathbf{t}}) \tag{2}$$

where $\alpha$ is the hyper-parameter that balances the accuracy of the trained model on clean natural data and on adversarial examples. $\tilde{\mathbf{t}}$ is the soft-label as in Eq. (1). Such adversarial training is also normally considered a strong regularization technique.

Increasing model capacity. Prior works [15, 7] have experimentally confirmed the improvement in resistance against adversarial attacks obtained by increasing the model capacity. The interpretation is that robust classifiers require a more complicated decision boundary [15], which is expected to benefit the defense against malicious weight changes as well. Further in-depth analysis of model capacity and BFA resistance is discussed in Section 6.

3. DNN under BFA

To first understand, then defend against and harness the bit-flip based adversarial weight attack, we conducted some preliminary investigations, along with several important observations as described below.
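As an added illustration (not code from the paper or its released repository) of the two's complement encoding that the quantized weights of Section 2.1 use and of the Hamming-distance cost $\mathcal{D}(\hat{\mathbf{B}}_l, \mathbf{B}_l)$ of Eq. (1), the Python below encodes integer weights, measures the bit distance between a clean and a perturbed tensor, and tabulates the signed shift a single flipped bit produces (the power-of-two shifts Observation 1 in Section 3 describes). The uniform quantizer and all sample weights are assumptions constructed here.

```python
# Added example (not from the paper or its released code): n_q-bit two's complement
# weight encoding, the Hamming-distance attack cost D(B_hat, B) of Eq. (1), and the
# signed weight shift one bit-flip produces. The uniform quantizer is an assumption
# standing in for the quantizer of [17]; all sample weights are constructed.

def quantize(weights, nq=8):
    """Uniform symmetric quantizer (assumed): map floats to integers in
    [-(2^(nq-1)-1), 2^(nq-1)-1] using step max|w| / (2^(nq-1)-1)."""
    qmax = (1 << (nq - 1)) - 1
    scale = (max(abs(w) for w in weights) / qmax) or 1.0
    return [max(-qmax, min(qmax, round(w / scale))) for w in weights], scale

def encode(w, nq=8):
    """Integer weight -> nq-bit two's complement pattern (magnitude bounded by 2^(nq-1))."""
    lo, hi = -(1 << (nq - 1)), (1 << (nq - 1)) - 1
    if not lo <= w <= hi:
        raise ValueError(f"{w} is outside the {nq}-bit range [{lo}, {hi}]")
    return w & ((1 << nq) - 1)

def decode(b, nq=8):
    """nq-bit two's complement pattern -> signed integer weight."""
    b &= (1 << nq) - 1
    return b - (1 << nq) if b & (1 << (nq - 1)) else b

def hamming_distance(bits_a, bits_b):
    """D(B_hat, B) of Eq. (1): number of differing bits between two encoded tensors."""
    if len(bits_a) != len(bits_b):
        raise ValueError("tensors must have the same shape")
    return sum(bin(a ^ b).count("1") for a, b in zip(bits_a, bits_b))

def weight_shift(w, i, nq=8):
    """Signed change of weight w when bit i of its encoding is flipped: always +/-2^i,
    so flipping the sign bit of a near-zero weight moves it by 2^(nq-1)."""
    return decode(encode(w, nq) ^ (1 << i), nq) - w

def shift_table(w, nq=8):
    """Shift caused by flipping each bit position 0..nq-1 of weight w."""
    return [weight_shift(w, i, nq) for i in range(nq)]

def apply_flips(bits, flips):
    """Apply a list of (tensor index, bit position) flips; return the new encoded tensor."""
    out = list(bits)
    for k, i in flips:
        out[k] ^= (1 << i)
    return out

def shift_report(before, after, nq=8):
    """List (index, old, new, shift) for every changed weight between two encoded tensors;
    a defender comparing a stored checkpoint with memory can flag large |shift| values."""
    report = []
    for k, (a, b) in enumerate(zip(before, after)):
        if a != b:
            wa, wb = decode(a, nq), decode(b, nq)
            report.append((k, wa, wb, wb - wa))
    return report

def demo():
    """Constructed 5-weight tensor; the sign bit of the two near-zero weights is flipped."""
    weights, _ = quantize([0.01, -0.02, 0.9, -1.0, 0.0], nq=8)  # -> [1, -3, 114, -127, 0]
    bits = [encode(w) for w in weights]
    attacked = apply_flips(bits, [(0, 7), (1, 7)])
    return hamming_distance(bits, attacked), shift_report(bits, attacked)

if __name__ == "__main__":
    print("shift table for w=0:", shift_table(0))
    print("D and changed weights:", demo())
```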

[Figure 2: Weight shift caused by BFA for (a) ResNet-20 [6] with 8-bit weights (bit-flips $N_{BF}$ for BFA, mean ± std: 11.2 ± 1.9; total number of weight bits: 2 million; trial seeds 63, 922, 1764, 2802, 3665) and (b) VGG-11 [20] with 8-bit weights ($N_{BF}$ mean ± std: 56.6 ± 35.2; total number of weight bits: 78 million; trial seeds 176, 1946, 3569, 7778, 9264) on the CIFAR-10 dataset. For both architectures, 5 trials are executed with different random seeds. Each colored dot depicts the weight shift (x-axis: prior-attack weight, y-axis: post-attack weight) w.r.t. one iteration of BFA. The color bar indicates the corresponding accuracy (%) on the CIFAR-10 test data. The vertical distance between a dot and the diagonal dashed line (i.e., $y = x$) represents the weight shift magnitude. Moreover, results reported in this figure use 8-bit post-training weight quantization [17].]

Observation 1: BFA is prone to flip bits of close-to-zero weights, causing large weight shifts.

As depicted in Fig. 2, the progressive bit search proposed in BFA [17] is prone to identify the vulnerable bit in a weight whose absolute value has a small magnitude (i.e., $w \approx 0$) and then modify it to a large value (explained in the caption of Fig. 2). Since BFA performs the attack on the quantized weight encoded in two's complement, the possible weight magnitude shift is discretized as $2^i$, $i \in \{0, 1, \ldots, n_q\}$. Moreover, Fig. 2 also shows that the model with larger capacity possesses higher resistance against BFA (i.e., requires more bit-flips for the same accuracy degradation).

Observation 2: BFA is prone to flip the weight bits in the front-end layers of the target neural network.

Fig. 3 shows the histogram of bit-flips across different modules¹ of the DNN under BFA. All the trials show that most of the bits found by BFA are in the front-end, along the forward propagation path. Such an observation can be explained as follows: the error introduced by the bit-flips in the front-end can be easily accumulated and amplified during the forward propagation, which is similar to the linear explanation of adversarial examples discussed in [5].

¹ The module index includes all modules within the DNN, where small to large index denotes the location from front to rear along the inference path.

[Figure 3: Normalized histogram and Kernel Density Estimation (KDE) of #bit-flips versus module index in (top) ResNet-20 and (bottom) VGG-11 on CIFAR-10, for the 5 trial seeds of each network.]

Observation 3: BFA forces almost all the inputs to be classified into one particular output group.

Fig. 4 depicts the top-1 classification output of the DNN on CIFAR-10 test data at different BFA iterations. The CIFAR-10 test subset includes 1000 samples in each of the 10 output categories (i.e., 10k samples in total). The BFA-free clean model, at iteration 0, has almost evenly distributed top-1 classification output predictions in each output category. It is intriguing to notice that, with the evolution of BFA, it forces almost all inputs to be classified into one output group. We also find that the dominant output group highly depends on the given attack sample data.

[Figure 4: The evolution of the ResNet-20 output classification histogram across the 10 categories (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck) under BFA at iterations 0, 3, 6, 9 and 12, on the 10k test samples of CIFAR-10. The attack sample size is 128.]

4. Defense against BFA

To enhance the resistance of DNNs against BFA, we propose and investigate two defense techniques, i.e., binarization-aware training and its relaxation, piece-wise weight clustering, inspired by the observations in Section 3.

4.1. Binarization-aware training

Binarization-aware training was originally proposed as an extreme low bit-width model compression technique, which converts the weights from 32-bit floating-point to the {-1, 1} binary format encoded by 1 bit [18]. Here, binarization-aware training is leveraged as a defense technique against BFA, which can be mathematically described as:

$$\text{Forward:}\; w^{b}_{l,i} = \mathbb{E}(|\mathbf{W}^{fp}_{l}|) \cdot \mathrm{sgn}(w^{fp}_{l,i}); \qquad \text{Backward:}\; \frac{\partial \mathcal{L}}{\partial w^{fp}_{l,i}} = \frac{\partial \mathcal{L}}{\partial w^{b}_{l,i}} \tag{3}$$

where $\mathrm{sgn}(\cdot)$ is the sign function, and $w^{b}_{l,i}$ denotes the binarized weight obtained from its floating-point counterpart $w^{fp}_{l,i}$. In general, weight binarization intrinsically achieves two goals: 1) reducing the bit-width to 1, and 2) clustering the weights to $\pm\mathbb{E}(|\mathbf{W}^{fp}_{l}|)$ as in Eq. (3). The Straight Through Estimator (STE) [2] is adopted to address the non-differentiable sign function, as in prior works [10].
Nevertheless, different from the STE in [10], the gradient clipping constraint is omitted from the backward path, thanks to the presence of the weight scaling coefficient $\mathbb{E}(|\mathbf{W}^{fp}_{l}|)$.

[Figure 5: The evolution of the weight distribution of ResNet-20 (first layer, $l = 1$) under various training configurations: (a) vanilla training, $\mathbf{W}_{l=1}$; (b) binarization, $\mathbf{W}^{fp}_{l=1}$; (c) binarization, $\mathbf{W}^{b}_{l=1}$; (d) piece-wise clustering, $\mathbf{W}_{l=1}$. x-axis: weight magnitude, y-axis: training epoch.]

Our interpretation of the BFA resistance enhancement through binarization-aware training is twofold:

1) As discussed in Observation 1, BFA is prone to attack the close-to-zero weights and cause large weight shifts. Weight binarization eliminates close-to-zero weights by forcing all the weights to $\pm\mathbb{E}(|\mathbf{W}^{fp}_{l}|)$; the weight distribution of the sampled layer is illustrated in Fig. 5c.

2) Binarization-aware training intrinsically acts as training the DNN with bit-flip noise injected. As described in Eq. (3), the floating-point weight base $\{\mathbf{W}^{fp}_{l}\}$ is binarized on-the-fly during training. Recalling the optimization using SGD, the weight change $\Delta w^{fp}$ can be expressed as:

$$\Delta w^{fp} = -\eta \cdot \nabla_{w^{fp}} \mathcal{L}\big(f(\mathbf{x}, \{\mathbf{W}^{fp}\}); \mathbf{t}\big) \tag{4}$$

where $\eta$ is the learning rate. Due to the presence of Eq. (3), even a small weight update on $w^{fp}$ (i.e., $w^{fp} + \Delta w^{fp}$) may directly change the corresponding binarized weight $w^{b}$ from -1 to 1 or the opposite, as a bit-flip, when the following condition is met:

$$\mathrm{sgn}(w^{fp} + \Delta w^{fp}) \neq \mathrm{sgn}(w^{fp}) \tag{5}$$

Therefore, binarization-aware training involves massive bit-flips on the binarized weights $\mathbf{W}^{b}$, which mimics injecting bit-flip noise on the weights during training. Fig. 6 depicts the average number of bit-flips caused by the weight update when training a binarized ResNet-20: each iteration may cause around 300 bit-flips on the binarized weights even when the learning rate is 0.001.

[Figure 6: Average #bit-flips (y-axis) per weight update iteration of binarization-aware training vs. epochs (x-axis), with ResNet-20 on CIFAR-10.]

4.2. Clustering as relaxation of binarization

Since weight binarization normally suffers from significant prediction accuracy degradation due to the aggressive model capacity reduction, we propose a relaxation of weight binarization, called Piece-wise Clustering (PC), to omit the fixed single bit-width constraint while retaining similar clustering functionality, which we believe plays an important role in defending against BFA. Piece-wise clustering introduces an additional weight penalty to the inference loss $\mathcal{L}$ (e.g., cross-entropy), and the optimization can be formulated as:

$$\min_{\{\mathbf{W}_l\}_{l=1}^{L}} \; \mathbb{E}_{\mathbf{x}}\, \mathcal{L}\big(f(\mathbf{x}, \{\mathbf{W}_l\}_{l=1}^{L}), \mathbf{t}\big) + \underbrace{\lambda \cdot \sum_{l=1}^{L} \Big( \big\| \mathbf{W}_l^{+} - \mathbb{E}(\mathbf{W}_l^{+}) \big\|_2 + \big\| \mathbf{W}_l^{-} - \mathbb{E}(\mathbf{W}_l^{-}) \big\|_2 \Big)}_{\text{piece-wise clustering penalty term}} \tag{6}$$

where $\lambda$ is the clustering coefficient that tunes the strength of the weight clustering penalty term. $\mathbf{W}_l^{+}$ and $\mathbf{W}_l^{-}$ denote the positive and negative weight subsets of the $l$-th layer weight tensor. The DNN model optimized as in Eq. (6) leads to a bi-modal weight distribution as depicted in Fig. 5d. The piece-wise clustering proposed above can also be viewed as a variant of group Lasso, where the group is defined as the positive and negative weight subsets in each layer.
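The following Python is an added example, not the paper's code or its released repository, covering both Section 4.1 and Section 4.2 on a single layer: it runs binarization-aware SGD steps with the Eq. (3) forward and STE backward, counts the Eq. (5) sign flips each update produces, and evaluates the piece-wise clustering penalty of Eq. (6) together with its gradient. The squared-error linear layer and the sample weights are assumptions made to keep it self-contained.

```python
import math
import random

# Added example (not from the paper or its released code): the two defences of
# Section 4 applied to one layer held as a plain Python list.
#   * binarization-aware training: Eq. (3) forward / STE backward, the SGD update of
#     Eq. (4), and the sign changes of Eq. (5) that act as bit-flip noise;
#   * piece-wise clustering: the penalty of Eq. (6) and its gradient.
# Assumption: the "layer" is a linear model y = <w, x> with squared-error loss, so the
# gradient can be written by hand; the sample weights and inputs are constructed.

def sgn(v):
    # Sign function of Eq. (3); sgn(0) = +1 is a convention assumed here.
    return 1.0 if v >= 0 else -1.0

def binarize(w_fp):
    """Eq. (3) forward: w^b = E(|W^fp|) * sgn(w^fp). Returns (binarized weights, scale)."""
    scale = sum(abs(w) for w in w_fp) / len(w_fp)
    return [scale * sgn(w) for w in w_fp], scale

def loss_and_grad(w, x, t):
    """Squared-error loss of y = <w, x> against target t, and dL/dw (assumed model)."""
    y = sum(wi * xi for wi, xi in zip(w, x))
    return 0.5 * (y - t) ** 2, [(y - t) * xi for xi in x]

def binarization_aware_step(w_fp, x, t, lr):
    """One SGD step of Eq. (4) on the floating-point base. The loss is evaluated on the
    binarized weights and dL/dw^b is passed straight through to w^fp (STE backward of
    Eq. (3), without gradient clipping). Returns the updated base and the number of
    weights whose sign changed, i.e. binarized weights flipped per Eq. (5)."""
    w_b, _ = binarize(w_fp)
    _, g = loss_and_grad(w_b, x, t)
    w_new = [w - lr * gi for w, gi in zip(w_fp, g)]
    flips = sum(1 for old, new in zip(w_fp, w_new) if sgn(old) != sgn(new))
    return w_new, flips

def count_training_flips(w_fp, batches, lr):
    """Run binarization-aware steps over (x, t) batches; return per-step flip counts."""
    counts = []
    for x, t in batches:
        w_fp, flips = binarization_aware_step(w_fp, x, t, lr)
        counts.append(flips)
    return counts

def _group_stats(group):
    m = sum(group) / len(group)
    dev = [v - m for v in group]
    return m, dev, math.sqrt(sum(d * d for d in dev))

def pc_penalty(w, lam):
    """Eq. (6) penalty of one layer: lam * (||W+ - E(W+)||_2 + ||W- - E(W-)||_2)."""
    total = 0.0
    for sign in (1, -1):
        group = [v for v in w if sign * v > 0]
        if group:
            total += _group_stats(group)[2]
    return lam * total

def pc_penalty_grad(w, lam):
    """Gradient of pc_penalty: lam * (w - E(W_g)) / ||W_g - E(W_g)||_2 within the sign
    group g of w; the dependence of E(W_g) on w drops out since deviations sum to 0."""
    grads = [0.0] * len(w)
    for sign in (1, -1):
        idx = [k for k, v in enumerate(w) if sign * v > 0]
        if idx:
            _, dev, norm = _group_stats([w[k] for k in idx])
            if norm > 0:
                for k, d in zip(idx, dev):
                    grads[k] = lam * d / norm
    return grads

def cluster_with_pc(w, lam, lr, steps):
    """Gradient steps on the penalty alone, pulling each sign group toward its mean.
    Like group Lasso the norm is unsquared, so a fixed step can overshoot once a
    group is almost clustered; keep lr * lam small relative to the spread."""
    for _ in range(steps):
        w = [v - lr * g for v, g in zip(w, pc_penalty_grad(w, lam))]
    return w

def demo(seed=0, n=64, lr=0.001, steps=20):
    """Constructed close-to-zero weights (the kind Observation 1 says BFA targets) under
    binarization-aware training still see sign flips at a small learning rate."""
    rnd = random.Random(seed)
    w = [rnd.uniform(-0.01, 0.01) for _ in range(n)]
    batches = [([rnd.uniform(-1, 1) for _ in range(n)], rnd.choice([-1.0, 1.0]))
               for _ in range(steps)]
    return sum(count_training_flips(w, batches, lr))

if __name__ == "__main__":
    print("binarized-weight sign flips over 20 steps:", demo())
    print("PC penalty before/after:", pc_penalty([0.2, 0.4, -0.3, -0.1], 1.0),
          pc_penalty(cluster_with_pc([0.2, 0.4, -0.3, -0.1], 1.0, 0.05, 2), 1.0))
```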
5. Experiments

5.1. Experiment Setup

Dataset and Network Architectures. In this work, experiments are focused on the visual dataset CIFAR-10 [12], which includes 60k 32×32 RGB images evenly sampled from 10 categories, with 50k and 10k samples for training and test respectively. The data augmentation technique is identical to that reported in [6]. ResNet-20 [6] and VGG-11 [20] are the two networks studied in this work. We use the momentum-based stochastic gradient descent optimizer, with training batch-size and weight decay of 128 and 3e-4 respectively. The initial learning rate is 0.1, scaled by 0.1 at epochs 80 and 120, and the total number of epochs is 160. Note that all the experiments are conducted using PyTorch [16], running on NVIDIA Titan-XP GPUs.

BFA Configuration. To evaluate the effectiveness of the proposed defense methods, the code from [17] is utilized with further modification. The number of bit-flips $N_{BF}$ that degrades the prediction accuracy below 11% is used as the metric to measure the BFA resistance on the CIFAR-10 dataset. Moreover, since BFA requires a set of data to perform the attack, we take 256 sample images from the training subset as the default BFA configuration and report the mean ± std of $N_{BF}$ over 5 BFA trials. Note that all the quantized DNNs reported hereafter still use the uniform quantizer as in [17], but with quantization-aware training instead of post-training quantization.

[Figure 7: The BFA-free test accuracy, mean and standard deviation of $N_{BF}$ for 5 trials under different quantization bit-widths $n_q \in \{8, 6, 4, 1\}$ and clustering penalty coefficients $\lambda \in \{0, 1\text{e-}4, 5\text{e-}4, 1\text{e-}3, 5\text{e-}3\}$, with (left column) ResNet-20 and (right column) VGG-11 on CIFAR-10. Panels: top-1 test accuracy of the clean model, mean of $N_{BF}$, and standard deviation of $N_{BF}$.]

5.2. Result Evaluation

The experiment results with different quantization bit-widths $n_q$ and clustering coefficients $\lambda$ of piece-wise clustering are summarized in Fig. 7. It reports the BFA-free test accuracy and the number of bit-flips $N_{BF}$ required for BFA to succeed. Note that, for weight binarization in Fig. 7, we exclude the Piece-wise Clustering (PC) term by setting $\lambda = 0$, since binarization intrinsically performs the clustering as discussed in Section 4.1.

Effect of quantization bit-width and clustering coefficient. Based on the results reported in Fig. 7, training the DNN with binarized weights roughly degrades the test accuracy by 4% and 2% in comparison to the 8-bit quantized counterpart, for ResNet-20 and VGG-11 respectively. As discussed in Section 4.2, our intention in proposing piece-wise clustering as the relaxation of weight binarization is to mitigate such an accuracy drop. We do observe that using piece-wise clustering with a proper $\lambda$ can mitigate the accuracy degradation while improving the BFA resistance (i.e., requiring more bit-flips $N_{BF}$ for the same accuracy degradation). For ResNet-20 and VGG-11, the ideal configurations of $\lambda$ are 0.001 and 0.0005 respectively, as the model with larger capacity benefits from a relatively smaller $\lambda$.

BFA resistance of ResNet-20. The 8-bit quantized ResNet-20 (baseline) requires only an average of 28 bit-flips to hamper the functionality of an accurate DNN, while weight binarization significantly improves the BFA resistance compared to the baseline. Binarization increases the average value of $N_{BF}$ to 541.2, which improves the BFA resistance by 19×. Nevertheless, considering the inevitable accuracy drop due to the drastic bit-width reduction (32-bit to 1-bit), as an alternative approach we explore the performance of PC on other bit-width configurations as well. With $\lambda = 1\text{e-}3$, the average value of $N_{BF}$ was improved by 2.09×, 2.55× and 1.73× for 8-, 6- and 4-bit widths respectively. In conclusion, our proposed piece-wise clustering improves the resistance to adversarial weight attack for all the cases of different bit-widths. Still, the binarized network emerges as the most successful defense against BFA.

BFA resistance of VGG-11. For VGG-11, our observation follows a similar pattern as described in the previous section. The baseline VGG-11 (i.e., $n_q = 8$) requires an average $N_{BF}$ of 16.4. Again, weight binarization improves the network robustness significantly, yielding an average $N_{BF}$ of 7874, which is a 480× improvement in comparison to the baseline. In the case of VGG-11, the lower bit-width defends against BFA even better than for ResNet-20; the main reason for this discrepancy can be the difference in the size of the networks. For a larger network such as VGG-11, low bit-width and PC perform a proper regularization to successfully defend against BFA. The best performance of PC for VGG-11 was achieved for a 4-bit network with $\lambda = 1\text{e-}4$, achieving an average value of $N_{BF}$ of 82.59. In summary, both binarization-aware training and its piece-wise clustering relaxation can improve the BFA resistance of the target neural network, while binarization-aware training can push $N_{BF}$ to an extremely large value (e.g., an $N_{BF}$ of over 7000 on the over-parameterized VGG-11). The implication of such a large value is noteworthy, as a larger value of $N_{BF}$ indicates a significant increase in the difficulty of carrying out the memory fault injection through feasible cyber-physical attacks. For example, when using the row-hammer attack to perform the fault injection, the increased attack execution time might be detected by the operating system through data integrity checks.

5.3. Comparison of Alternative Defense Methods

The adversarial weight attack [17] is a recently developed security threat model for modern DNNs. Consequently, the development of defensive approaches in this field has not received much attention. Therefore, for the first time, we investigate an alarming parameter security concern, the bit-flip based adversarial weight attack, together with a corresponding defense method. Owing to the lack of competing methods in this research direction, we attempt to transfer several conventional defense methods for adversarial examples [15, 3, 22], to provide a comprehensive comparison.

Table 2: Alternative Methods Comparison. In this table, we report the prior- and post-attack test accuracy (%) and $N_{BF}$ of BFA. The 8-bit quantization is chosen as the baseline; Binary and PC-8bit are the proposed methods. Moreover, comparison with Lasso-based pruning and adversarial weight training (adv. training) is included as well.

Methods        Prior-Attack Accuracy (%)   Post-Attack Accuracy (%)   N_BF (mean ± std)
8-bit          91.84                        10.45                      28.0 ± 4.47
PC-8bit        90.02                        10.07                      58.79 ± 4.14
Binary         88.36                        10.13                      541.2 ± 49.8
Lasso Pruning  88.11                        10.12                      6.8 ± 0.44
Adv. Training  87.72                        10.09                      9.6 ± 6.58

Weight Pruning. Both activation and weight pruning have been investigated as defenses against adversarial examples [21, 3]. Such pruning techniques involve a stochastic process during inference which suffers from gradient obfuscation [1], a common reason for the failure of adversarial input defenses. Nevertheless, we investigate the effectiveness of network pruning to resist the adversarial weight attack as an alternative approach. To achieve this, we train a regular network with a Lasso loss function to shrink most of the weights to an extremely low value. Thus, we can rewrite the loss function with an additional $L_1$-norm penalty as:

$$\min_{\{\mathbf{W}\}} \; \mathcal{L}\big(f(\mathbf{x}, \{\mathbf{W}_l\}); \mathbf{t}\big) + \beta \cdot \sum_{l=1}^{L} \|\mathbf{W}_l\|_1 \tag{7}$$

where $\beta$ is the coefficient that tunes the pruning strength. Through training with Eq. (7), we expect the weight tensor to be in a highly sparse representation. The intuition behind pruning working as an adversarial weight defense can be summarized as follows: in a sparse network, we consider that the zero-valued weights will not have any physical connection (pruned) on which to conduct a bit-flip attack, thus making them immune to BFA. As a result, the attacker is left with only a small portion of the weights which he/she can alter to perform the BFA. Nevertheless, as shown in Table 2, such a sparsely regularized network is even more vulnerable to the adversarial weight attack, requiring on average just 6.8 bit-flips to hamper the functionality of the target DNN. Since a large portion of the weights was pruned, the remaining weights carry large significance in maintaining accurate network performance, so altering any of the remaining non-zero weights still manages to degrade network performance significantly.

Adversarial Weight Training. Inspired by adversarial training [15, 4], we attempt to adopt the same idea and create a BFA-based adversarial training as an alternative approach to compare with our proposed method. We modified the adversarial training objective in Eq. (2) to serve the purpose of adversarial weight training:

$$\min_{\{\mathbf{B}\}} \; \mathcal{L}\big(f(\mathbf{x}; \{\mathbf{B}\}), \mathbf{t}\big) + \alpha\, \mathcal{L}\big(f(\mathbf{x}; \{\mathbf{B}\} + \{\mathbf{B}_{BFA}\}), \mathbf{t}\big) \quad \text{s.t.}\; \{\mathbf{B}_{BFA}\} = \{\hat{\mathbf{B}}\} - \{\mathbf{B}\} \tag{8}$$

where $\{\mathbf{B}_{BFA}\}$ is the difference between the BFA-perturbed weight bits $\{\hat{\mathbf{B}}\}$ and their BFA-free counterpart $\{\mathbf{B}\}$. During model training, $\{\mathbf{B}_{BFA}\}$ is generated at run-time as an additive constant offset on the model weights. The result of adversarial training is shown in Table 2, where such adversarial weight training shows no improvement in BFA resistance. Our interpretation of the defense failure is summarized as follows. When performing adversarial training with adversarial examples, each natural image owns similar adversarial examples even with a different random seed. However, for the bit-flip based adversarial weight attack, using a single natural image as the attack sample will lead to massively different combinations of vulnerable weight bits, while BFA just provides one combination in a greedy way. Thus, performing adversarial weight training with all the vulnerable weight bit combinations is not a feasible approach. In the end, through the comparison of all the potential defense methods listed in Table 2, we conclude that binarization-aware training and piece-wise clustering are the effective defense methods.

6. Analysis

Effect of Network Width. In prior works [14, 7], enhancing the capacity of the target DNN by increasing the layer width is recognized as an effective method to defend against adversarial examples. In this work, it is expected that the DNN capacity also plays a positive role in defending against BFA. We summarize the performance of BFA by varying the width of the network in Table 3.

Table 3: Effect of Network Width. ResNet-20 [6] with different width configurations (1×, 2× and 4×) is reported, as $N_{BF}$ (mean ± std). All the networks use 8-bit quantization.

                 Baseline (1×)    2×              4×
ResNet-20        28.0 ± 4.47      26.2 ± 2.68     36.4 ± 12.44
ResNet-20 (PC)   58.79 ± 4.14     47.2 ± 8.04     72 ± 18.79

In the first row of Table 3, we observe that ResNet-20 becomes more resilient to BFA with network width 4× than the baseline. However, the difference between the performance of the baseline and the network with 2× width is barely distinguishable. In the second row of Table 3, a similar pattern is also observed using our proposed piece-wise clustering method. Our proposed method with 4× width requires on average 72 bit-flips to cause complete malfunction of the ResNet-20 architecture. In conclusion, similar to the observations from adversarial examples [15, 7], increasing the network capacity by a large amount will enhance the robustness against BFA.

Conclusion 1: Increasing the network capacity improves the resistance to the bit-flip based adversarial weight attack.
Effect of Batch-Normalization and Dropout. Nowadays, the presence of a Batch-Normalization (BN) layer in a deep neural network is customary, to accelerate the training of the DNN [11] by normalizing the hidden features forwarded along the inference path. On the other hand, an adversarial weight attack introduces variance in the weight tensor through malicious bit-flips on the weight bits, which changes the hidden features correspondingly. Taking batch normalization into consideration, we expect the BN layer to stabilize the hidden feature errors caused by the malicious weight bit-flips. For the results listed in Table 4, we remove the BN layer (case 2) from our baseline model (case 1). We observe that once the BN layer was removed from the VGG-11 network,
